Privacy Policy

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Name
• Email address
• Company name
• Job title
• Secure password (stored encrypted)

1.2 Lease Document Data

When you upload and process lease documents through the Services, we collect and process:

• The full text content of uploaded lease documents
• Document metadata (file names, upload dates, file sizes)
• Extracted data including property information, tenant names, landlord names, lease terms, financial information, and other lease-related data
• User annotations, tags, comments, and custom field entries
• Chat history and queries related to specific documents

Important: Your lease documents and extracted data are used exclusively to provide the Services to you. We do not use your documents or data to train AI models, conduct analytics for other purposes, or share with any parties except as explicitly required to deliver the Services.

1.3 Technical Information

For security and service delivery purposes, we automatically collect minimal technical information:

• IP address (for security and fraud prevention)
• Browser type and version
• Access times and session duration
• Device type and operating system

This technical information is collected only to ensure service functionality, security, and to prevent unauthorized access. We do not use cookies or tracking technologies for analytics, marketing, or advertising purposes. We may use strictly necessary cookies required for authentication and session management.

1.4 Communication Data

When you contact customer support or communicate with us, we collect the information you provide in those communications to respond to your inquiries and improve our service quality.

2. How We Use Your Information

We use the information we collect strictly for the following purposes related to providing the Services:

2.1 Service Delivery

• Process, analyze, and extract information from your lease documents
• Provide AI-powered lease abstraction and document analysis
• Enable portfolio research and comparative analysis features
• Deliver interactive document query and chat capabilities
• Store and organize your lease data and extracted information
• Generate custom reports and data exports

2.2 Aggregate and Anonymized Analytics

We may create, use, and disclose aggregated and/or anonymized data derived from your use of the Services for product improvement, benchmarking, performance analysis, and research purposes. Such data does not identify you, any individual, or any specific document and is not considered personal information or User Data.

2.3 Account Management

• Create and manage your account
• Authenticate your identity and authorize access
• Manage your subscription and billing
• Respond to your inquiries and provide customer support

2.4 Service Communication

• Send critical service updates and security alerts
• Provide technical notices and system maintenance notifications
• Communicate policy updates and important account information
• Respond to support requests
• Notify you of changes to Sub-Processors (see Section 4.1)

2.5 Security and Legal Compliance

• Detect, prevent, and investigate fraud, security incidents, and unauthorized access
• Comply with legal obligations applicable to Prismera and enforce our Terms of Service
• Protect the rights, property, and safety of Prismera, our users, and the public
• Maintain system integrity and operational security

What We Do NOT Do With Your Data:

• Train or improve AI models using your lease documents or extracted data
• Use your data for marketing, advertising, or promotional purposes
• Conduct analytics on your identifiable data for purposes beyond service delivery
• Share your data with third parties except as strictly necessary for service operations (see Section 4)
• Sell, rent, or trade your personal information or lease data

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal information based on the following legal grounds:

• Contract Performance: Processing necessary to perform our contract with you and provide the Services you requested.
• Legitimate Interests: Processing necessary for our legitimate business interests, such as maintaining service functionality, creating aggregate analytics, fraud prevention, and security, provided such interests are not overridden by your rights and interests.
• Legal Compliance: Processing necessary to comply with legal obligations to which we are subject.
• Consent: Where required by law, we process personal information based on your explicit consent, which you may withdraw at any time.

4. How We Share Your Information

We do not sell, rent, or trade your personal information. We share your information only in the following limited circumstances necessary to provide the Services:

4.1 Essential Service Providers (Sub-Processors)

We share information with third-party service providers ("Sub-Processors") only as strictly necessary to deliver core service functionality. Sub-Processors are contractually obligated to use your information solely to provide their specific services to us, maintain appropriate security measures, and are prohibited from using your data for their own purposes, including training their models. Sub-Processors include providers of:

• Cloud infrastructure for secure data storage and application hosting
• AI and machine learning capabilities for document analysis and natural language processing
• Database services for secure data storage and retrieval
• Authentication and identity verification services

Sub-Processor Changes: Prismera maintains a list of current Sub-Processors available upon request. We will notify you at least thirty (30) days in advance of any new Sub-Processor being engaged. If you object to a new Sub-Processor, you may terminate your account as your sole remedy.

4.2 Business Transfers

If Prismera is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information and ensure the acquiring party honors this Privacy Policy or provides you with notice of any changes.

4.3 Legal Requirements

We may disclose your information only when required by law or when we believe in good faith that such disclosure is necessary to:

• Comply with legal obligations, court orders, subpoenas, or governmental requests
• Enforce our Terms of Service or investigate violations
• Protect the rights, property, or safety of Prismera, our users, or the public
• Detect, prevent, or investigate fraud, security incidents, or illegal activities

4.4 With Your Explicit Consent

We may share your information with third parties only when you explicitly provide consent for such specific sharing.

4.5 No Marketing or Analytics Sharing

We do not share your identifiable information with marketing platforms, advertising networks, or third-party analytics providers for purposes unrelated to delivering the Services to you.

5. Data Security

We implement industry-standard technical, administrative, and physical security measures designed to protect your information from unauthorized access, disclosure, alteration, and destruction. These measures include:

• SOC 2 Type II certification with regular independent audits
• Encryption of data in transit using TLS/SSL protocols
• Encryption of data at rest using AES-256 or equivalent
• Multi-factor authentication options for account access
• Regular security audits and vulnerability assessments
• Strict access controls and authentication mechanisms
• Employee training on data security and privacy best practices
• Incident response and breach notification procedures
• Regular backups and disaster recovery procedures
• Network security and intrusion detection systems

However, no method of transmission over the Internet or electronic storage is 100% secure. While we implement robust security measures and strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and should immediately notify us of any unauthorized access to your account.

6. Data Breach Notification

In the event of a security breach that affects your personal information, we will:

• Notify affected users without undue delay and, where required by GDPR, within seventy-two (72) hours of becoming aware of a qualifying breach
• Notify the relevant supervisory authority where required by applicable law
• Provide information about the nature of the breach, the likely consequences, and the measures taken or proposed to address it
• Cooperate with you and any relevant authorities in connection with the breach investigation

Notification timelines are subject to applicable law and may be delayed where law enforcement requests such delay or where immediate notification is not feasible due to the nature of the investigation.

7. Data Retention

We retain your personal information only for as long as necessary to provide the Services to you and fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law applicable to Prismera.

7.1 Active Accounts

For active accounts, we retain your account information and lease document data for the duration of your subscription and as long as your account remains active. You maintain full control over your data and can delete documents or information at any time through your account.

7.2 Account Closure and Data Deletion

When you close your account or request deletion of your data, we provide a thirty (30) day Export Period during which you may export your data. Following the Export Period, we will permanently delete your personal information and lease data within sixty (60) days, except where limited retention is required by law applicable to Prismera for:

• Compliance with legal obligations applicable to Prismera (e.g., tax, accounting, or audit requirements applicable to Prismera as a business)
• Resolving disputes and enforcing agreements
• Fraud prevention and security incident investigation
• Backup systems (subject to automatic deletion cycles, typically 90 days)

7.3 Customer Record Retention Responsibility

Prismera is not a records custodian, archive, or backup service. We do not assume any responsibility for your compliance with record retention requirements applicable to you or your business. You are solely responsible for maintaining independent copies of all data, documents, and records you are required by law, regulation, contract, or business practice to retain. The deletion of your data from our systems following account closure does not relieve you of your own record retention obligations. Prismera shall have no liability for your failure to independently retain records.

7.4 Data Minimization

We follow data minimization principles and periodically review and delete information that is no longer necessary for providing the Services or complying with legal obligations applicable to Prismera.

8. Your Privacy Rights

Depending on your location and applicable law, you have the following rights regarding your personal information:

8.1 Access and Portability

You have the right to access and obtain a copy of your personal information in a structured, commonly used, and machine-readable format. You can export your data at any time through your account settings or by contacting us.

8.2 Correction and Update

You have the right to correct inaccurate or incomplete personal information. You can update most information directly through your account settings.

8.3 Deletion

You have the right to request deletion of your personal information and lease data, subject to limited exceptions for legal compliance applicable to Prismera, fraud prevention, and legitimate business purposes.

8.4 Objection and Restriction

You have the right to object to or restrict certain processing of your personal information, including processing based on legitimate interests.

8.5 Withdrawal of Consent

Where processing is based on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

8.6 Automated Decision-Making

The Services utilize AI and machine learning to process and analyze lease documents. This processing is performed to deliver the Services you have requested and does not involve automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of GDPR Article 22. The AI-generated outputs are informational tools that require your independent review and verification before any action is taken.

8.7 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@prismera.ai. We will respond to your request within the timeframe required by applicable law (typically thirty (30) days under GDPR, forty-five (45) days under CCPA, extendable where permitted). We may require verification of your identity before processing your request to ensure data security.

8.8 Right to Lodge a Complaint

If you are located in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

9. International Data Transfers

Prismera is based in the United States. If you are accessing the Services from outside the United States, your information may be transferred to, stored, and processed in the United States and other countries where we or our Sub-Processors operate. These countries may have data protection laws that differ from those in your country of residence. By using the Services, you consent to the transfer of your information to the United States and other countries where we operate.

For users in the EEA, UK, or Switzerland, we implement appropriate safeguards for international data transfers, including:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by the European Commission
• Other legally recognized transfer mechanisms

10. Children's Privacy

The Services are not directed to individuals under the age of 18, and we do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take immediate steps to delete such information.

If you believe we have collected information from a child, please contact us immediately at privacy@prismera.ai.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

11.1 Right to Know

You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share personal information.

11.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain legal exceptions.

11.3 Right to Opt-Out of Sale or Sharing

We do not sell or share your personal information as defined by the CCPA/CPRA.

11.4 Right to Non-Discrimination

You have the right not to receive discriminatory treatment for exercising your CCPA/CPRA rights.

11.5 Authorized Agent

You may designate an authorized agent to make requests on your behalf. We may require verification of the agent's authority.

To exercise your CCPA/CPRA rights, contact us at privacy@prismera.ai. We will verify your identity before processing your request.

12. Data Processing Addendum

For customers subject to GDPR, CCPA, or other data protection regulations that require a data processing agreement, Prismera offers a Data Processing Addendum ("DPA") that supplements these terms and our Terms of Service. The DPA addresses data processing roles and responsibilities, security measures, Sub-Processor management, cross-border transfer mechanisms, and data subject rights procedures. The DPA is available upon request at legal@prismera.ai.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this Policy
• Provide prominent notice through the Services or by email notification
• Obtain your consent where required by applicable law
• Allow a reasonable period (at least thirty (30) days) for you to review changes before they take effect

We encourage you to review this Privacy Policy periodically. Your continued use of the Services after the effective date of any changes constitutes acceptance of the updated Policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Prismera Labs, Inc.
Email: privacy@prismera.ai
Website: https://www.prismera.ai

General inquiries: support@prismera.ai
Legal matters: legal@prismera.ai

We will respond to your inquiry as promptly as possible, typically within thirty (30) days.